Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of May 2016

New Detection Technique - Hancitor

Hancitor (also known as Tordal and Chanitor) is a downloader used to download other malware and maintain persistence on the system for further communication.

We've added IDS signatures and created the following correlation rule to detect Hancitor:

System Compromise, Trojan infection, Hancitor

New Detection Technique - Ruckguv

Ruckguv is a downloader that is dropped by a malicious macro embedded in a Microsoft Word document. This malware is then used to download other malware families.

We've added IDS signatures and created the following correlation rule to detect Ruckguv:

System Compromise, Trojan infection, Ruckguv

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in their products, including Edge and Internet Explorer. There was also a coordinated release with their partner Adobe.

We've added IDS signatures and correlation rules to detect the following activity:

The following correlation rules have been added due to recent malicious activity:

System Compromise, Trojan infection, IndoXploit

System Compromise, Trojan infection, Saber

Updated Detection Technique - Malware SSL Certificates

We added new Intrusion Detection System signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

System Compromise, C&C Communication, Known malicious SSL certificate

System Compromise, C&C Communication, Gozi SSL Activity

System Compromise, C&C Communication, Zeus SSL Certificate

System Compromise, C&C Communication, Ursnif SSL activity
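Certificate-fingerprint matching is the mechanism behind the rules above: a sensor extracts the SHA-1 fingerprint of the server certificate from each TLS session and looks it up in a feed of known-bad fingerprints. The following Python example is an added illustration and is not the update's own signature or rule logic. It assumes a feed in the "Listingdate,SHA1,Listingreason" CSV layout of the Abuse.ch SSL blacklist and TLS log events in a Suricata EVE-like JSON shape; the feed rows, log events, hashes and addresses are all constructed for the example.

```python
"""Match TLS certificate fingerprints seen on the wire against an abuse.ch
SSL-blacklist-style feed. Added illustration, not part of the original
update; the feed rows, log events and fingerprints below are constructed."""
import csv
import io
import json
import re

# Constructed feed in the "Listingdate,SHA1,Listingreason" layout of the
# abuse.ch SSL blacklist CSV (comment lines start with '#'). Hashes are made up.
FEED_CSV = """\
# Listingdate,SHA1,Listingreason
2016-05-09 10:21:03,2ac3f7e1b6d4c5a98f0e1d2c3b4a59687f6e5d4c,Gozi C&C
2016-05-10 08:03:44,F1E2D3C4B5A69788796A5B4C3D2E1F0011223344,ZeuS C&C
2016-05-11 14:40:19,0a1b2c3d4e5f60718293a4b5c6d7e8f901234567,Ursnif C&C
"""

# Constructed TLS log events in a Suricata EVE-like shape; only the fields the
# matcher reads are present. Fingerprints use the colon-separated form that
# such logs commonly emit; one event has no fingerprint at all.
TLS_EVENTS = [
    '{"src_ip":"10.0.0.15","dest_ip":"203.0.113.9","dest_port":443,"tls":{"subject":"CN=update.example.test","fingerprint":"2a:c3:f7:e1:b6:d4:c5:a9:8f:0e:1d:2c:3b:4a:59:68:7f:6e:5d:4c"}}',
    '{"src_ip":"10.0.0.22","dest_ip":"198.51.100.7","dest_port":443,"tls":{"subject":"CN=www.example.org","fingerprint":"ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01"}}',
    '{"src_ip":"10.0.0.31","dest_ip":"192.0.2.44","dest_port":8443,"tls":{"subject":"CN=localhost","fingerprint":"F1:E2:D3:C4:B5:A6:97:88:79:6A:5B:4C:3D:2E:1F:00:11:22:33:44"}}',
    '{"src_ip":"10.0.0.31","dest_ip":"192.0.2.45","dest_port":443,"tls":{"subject":"CN=nofingerprint"}}',
]

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(raw):
    """Canonicalise a SHA-1 fingerprint: drop ':' and whitespace separators and
    lower-case it, so feed and sensor formats compare equal. Returns None if
    the result is not exactly 40 hex digits."""
    candidate = re.sub(r"[:\s]", "", raw or "").lower()
    return candidate if _HEX40.match(candidate) else None


def load_blocklist(csv_text):
    """Parse feed rows into {sha1: listing_reason}, skipping comment lines and
    rows that do not have the expected three columns or a valid hash."""
    blocklist = {}
    rows = [line for line in csv_text.splitlines() if line and not line.startswith("#")]
    for row in csv.reader(io.StringIO("\n".join(rows))):
        if len(row) != 3:
            continue
        sha1 = normalize_fingerprint(row[1])
        if sha1:
            blocklist[sha1] = row[2].strip()
    return blocklist


def scan_tls_events(events, blocklist):
    """Return one hit per event whose server certificate fingerprint is on the
    blocklist. Each hit carries the listing reason so the alert can name the
    malware family, as the per-family rules above do."""
    hits = []
    for line in events:
        event = json.loads(line)
        sha1 = normalize_fingerprint(event.get("tls", {}).get("fingerprint"))
        if sha1 and sha1 in blocklist:
            hits.append({
                "src_ip": event["src_ip"],
                "dest_ip": event["dest_ip"],
                "dest_port": event["dest_port"],
                "sha1": sha1,
                "reason": blocklist[sha1],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_tls_events(TLS_EVENTS, load_blocklist(FEED_CSV)):
        print(f"C&C cert match: {hit['src_ip']} -> {hit['dest_ip']}:{hit['dest_port']} ({hit['reason']})")
```

The normalisation step matters more than it looks: feeds publish bare lower-case hex while sensors often emit colon-separated upper-case bytes, and a lookup that skips it silently misses every hit. Matching on the fingerprint rather than on the subject name also means a certificate reused across C&C servers is caught wherever it appears.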

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts every exploit it knows in order to compromise the user's machine and install malware on it. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

Tor is an open network that lets users browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network; these are called hidden services. Some websites act as gateways that expose Tor hidden services to the regular Internet, so a client can reach them without being inside the Tor network. We have created a new correlation rule that detects when a system is accessing one of these gateway services. Many ransomware schemes use hidden services to receive payments and conduct other malicious activities.

Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services as a mechanism to communicate with a C&C server and usually rely on a predefined onion domain.

We have updated a correlation rule that groups together the IDS signatures that fire when a system tries to resolve a malicious onion domain:

System Compromise, Malware infection, Malicious TOR .onion domain
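Both the Tor Onion Proxy rule above and the malicious .onion domain rule come down to inspecting DNS query names for hidden-service indicators: a bare `.onion` lookup that leaked out of a non-Tor-aware process, an onion address tunnelled through a clearnet gateway hostname, and an onion address on a known-bad list. The Python below is an added example written for this page and is not the update's own rule logic. It assumes a simple whitespace-separated DNS query log; the gateway suffixes, the "malicious" onion addresses and the log lines are constructed placeholders, and the 56-character v3 address form is included alongside the 16-character form current in 2016 as an assumption about what a reader today would want matched.

```python
"""Classify DNS query names for Tor hidden-service indicators: direct .onion
lookups, onion addresses routed through a clearnet gateway, and lookups of
onion addresses on a known-bad list. Added illustration, not the original
update's rule logic; all names, gateway suffixes and log lines are constructed."""
import re

# Onion address labels are base32 (a-z, 2-7): 16 characters for the v2
# addresses in use in 2016, 56 for the later v3 format (assumption: both wanted).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed placeholder suffixes standing in for clearnet-to-Tor gateway
# domains; a real deployment would take these from the signature set.
GATEWAY_SUFFIXES = ("onion-gateway.example", "hs-proxy.example")

# Constructed stand-ins for the onion addresses a "malicious onion domain"
# rule would carry. These are not real indicators.
MALICIOUS_ONIONS = {"payment2b4k7z3x5", "c2node7h5k2m3p4q"}

# Constructed query log: timestamp, client, "query", record type, name.
DNS_LOG = """\
2016-05-11T09:12:01Z 10.0.0.15 query A www.example.org
2016-05-11T09:12:07Z 10.0.0.15 query A exampleonion2345.onion
2016-05-11T09:12:09Z 10.0.0.22 query A exampleonion2345.onion.onion-gateway.example
2016-05-11T09:12:15Z 10.0.0.31 query A payment2b4k7z3x5.hs-proxy.example
2016-05-11T09:13:02Z 10.0.0.31 query AAAA c2node7h5k2m3p4q.onion
2016-05-11T09:13:40Z 10.0.0.40 query A mail.example.net
"""


def classify_query(qname):
    """Return (kind, onion_label) for a query name that carries a hidden-service
    indicator, or None for ordinary names. Kinds: 'onion_direct' (name ends in
    .onion), 'onion_via_gateway' (onion label under a gateway suffix), and
    'malicious_onion' (the onion label is on the known-bad list), which takes
    precedence over the other two."""
    labels = qname.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if not ONION_LABEL.match(label):
            continue
        rest = labels[i + 1:]
        if rest == ["onion"]:
            kind = "onion_direct"
        elif rest and rest[0] == "onion" and ".".join(rest[1:]) in GATEWAY_SUFFIXES:
            kind = "onion_via_gateway"          # <addr>.onion.<gateway>
        elif ".".join(rest) in GATEWAY_SUFFIXES:
            kind = "onion_via_gateway"          # <addr>.<gateway>
        else:
            continue
        if label in MALICIOUS_ONIONS:
            return ("malicious_onion", label)
        return (kind, label)
    if labels[-1] == "onion":
        # Ends in .onion but the label is not a well-formed address: still a
        # leaked hidden-service lookup, so report it without an address.
        return ("onion_direct", None)
    return None


def scan_dns_log(log_text):
    """Parse the constructed log format and return one record per flagged query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, _, rtype, qname = fields
        result = classify_query(qname)
        if result:
            kind, onion = result
            hits.append({"ts": ts, "client": client, "rtype": rtype,
                         "qname": qname, "kind": kind, "onion": onion})
    return hits


def summarize(hits):
    """Count flagged queries per indicator kind."""
    counts = {}
    for hit in hits:
        counts[hit["kind"]] = counts.get(hit["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['kind']}: {hit['qname']}")
    print(summarize(scan_dns_log(DNS_LOG)))
```

A direct `.onion` query reaching a recursive resolver is itself a useful signal: `.onion` is a reserved special-use name (RFC 7686) that Tor-aware software never sends to DNS, so seeing one means a process is trying to reach a hidden service without Tor, which is exactly the leak the gateway and malicious-domain rules are looking for.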

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

System Compromise, Malware RAT, Poison Ivy

System Compromise, Malware RAT, NanoCore

Updated Detection Technique - Sality

Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing for processing-intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated rootkit functions as part of the ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date. We have added IDS signatures and created a correlation rule to detect Sality activity.

System Compromise, Trojan infection, Sality

Updated Detection Technique - Keyloggers

Keylogging malware is used to record a victim's keystrokes when they type on a keyboard. Keyloggers can send a victim's keystrokes to a malicious party or store them for retrieval at a later time. Keylogging malware can be used to steal sensitive data such as login credentials or banking information. We have added IDS signatures and a correlation rule to detect the following keyloggers:

System Compromise, Trojan infection, Hawkeye Keylogger

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

System Compromise, Ransomware infection, Cryptolocker

System Compromise, Ransomware infection, Torrentlocker

System Compromise, Ransomware infection, CryptXXX

System Compromise, Ransomware infection, Unknown Ransomware

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity: